800-53|AC-2

Title

ACCOUNT MANAGEMENT

Description

The organization:

Supplemental

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability.

Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.
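The guidance above draws two lines a host-level check can enforce: temporary and emergency accounts must carry an expiration date and be disabled once it passes, while infrequently used local accounts carry no expiry and are not flagged; and service accounts (the Cassandra audit items listed further down are one instance) should run under their own user and primary group. The script below is an added example written for this page, not NIST text and not one of the audit plugins. It parses standard /etc/passwd, /etc/group and /etc/shadow formats (shadow field 8 is the expiration date in days since 1970-01-01). The account-type inventory dict, the four sample accounts and the file contents are constructed for the example; a real deployment would take the account types from its own inventory.

```python
"""Account-management audit for AC-2 over Unix account files (added example)."""
import datetime as dt

# Constructed sample files (not real system data).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cassandra:x:201:201:Cassandra:/var/lib/cassandra:/sbin/nologin
contractor1:x:1001:1001::/home/contractor1:/bin/bash
breakglass:x:1002:1002::/home/breakglass:/bin/bash
opsadmin:x:1003:1003::/home/opsadmin:/bin/bash
"""
GROUP = """\
root:x:0:
cassandra:x:201:
contractor1:x:1001:
breakglass:x:1002:
opsadmin:x:1003:
"""
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:*:19700:0:99999:7:::
cassandra:!!:19700:0:99999:7:::
contractor1:$6$x:19700:0:99999:7::19800:
breakglass:$6$y:19700:0:99999:7:::
opsadmin:$6$z:19700:0:99999:7:::
"""
# Constructed inventory (assumption: the organization records each login's
# AC-2 account type somewhere; here it is a dict keyed by username).
INVENTORY = {
    "contractor1": "temporary",
    "breakglass": "emergency",
    "opsadmin": "infrequent",   # local logon for special tasks: no expiry expected
    "cassandra": "service",
}

def parse_colon_file(text, key_index=0):
    """Parse a passwd/group/shadow-style file into {key: fields}."""
    rows = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[key_index]] = fields
    return rows

def shadow_expiry(fields):
    """Account expiration date from shadow field 8 (index 7), or None if unset."""
    raw = fields[7] if len(fields) > 7 else ""
    if raw == "":
        return None
    return dt.date(1970, 1, 1) + dt.timedelta(days=int(raw))

def audit_short_term_accounts(shadow_text, inventory, today):
    """Flag temporary/emergency accounts that lack an expiry, or whose expiry
    has passed while the account is still enabled ('!'/'*' prefix = locked)."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for user, kind in inventory.items():
        if kind not in ("temporary", "emergency"):
            continue   # infrequently used and service accounts are not subject to expiry
        fields = shadow.get(user)
        if fields is None:
            findings.append((user, "no shadow entry"))
            continue
        locked = fields[1].startswith(("!", "*"))
        expiry = shadow_expiry(fields)
        if expiry is None:
            findings.append((user, f"{kind} account has no expiration date"))
        elif expiry <= today and not locked:
            findings.append((user, f"{kind} account expired {expiry} but is not locked"))
    return findings

def check_dedicated_service_account(passwd_text, group_text, name):
    """Separate user and group exist for a service, and the user's primary GID
    is that group (the shape of the Cassandra 1.1 audit items)."""
    passwd = parse_colon_file(passwd_text)
    group = parse_colon_file(group_text)
    user, grp = passwd.get(name), group.get(name)
    if user is None:
        return False, f"user {name} missing from passwd"
    if grp is None:
        return False, f"group {name} missing from group"
    if user[3] != grp[2]:
        return False, f"user {name} primary GID {user[3]} is not group {name} ({grp[2]})"
    return True, "ok"

def demo(today_iso="2024-06-01"):
    """Run the short-term-account audit over the sample files for a given date."""
    return audit_short_term_accounts(SHADOW, INVENTORY, dt.date.fromisoformat(today_iso))

if __name__ == "__main__":
    for user, msg in demo():
        print(f"FINDING {user}: {msg}")
    print(check_dedicated_service_account(PASSWD, GROUP, "cassandra"))
```

With the sample data and a run date of 2024-06-01, `contractor1` is reported because its expiry (day 19800, 2024-03-18) has passed while the hash is still active, and `breakglass` is reported because an emergency account has no expiry set at all; `opsadmin` is deliberately left alone, matching the guidance that infrequently used accounts are not subject to removal dates. Locking an expired account (`usermod -L` or `passwd -l`) clears the first finding; `chage -E` sets the missing date for the second.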

Reference Item Details

Related: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, CM-5, CM-6, CM-11, IA-2, IA-4, IA-5, IA-8, MA-3, MA-4, MA-5, PL-4, SC-13

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure a separate user and group exist for Cassandra - group | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - group | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - passwd | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - passwd | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - user exists in group | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - user exists in group | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure single sign-on (SSO) is configured for your account / organization | Snowflake | CIS Snowflake Foundations v1.0.0 L1
1.1 Ensure that Corporate Login Credentials are Used | GCP | CIS Google Cloud Platform v3.0.0 L1
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.1.1.1 Configure AAA Authentication - TACACS if applicable | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.1.1.1 Ensure mounting of udf filesystems is disabled | Unix | CIS Google Container-Optimized OS v1.2.0 L2 Server
1.1.1.1 TACACS+ | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L2
1.1.1.2 Configure AAA Authentication - Local SSH keys | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.1.1.2 RADIUS | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L2
1.1.1.3 Configure AAA Authentication - RADIUS if applicable | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.2 Ensure only trusted users are allowed to control Docker daemon | Unix | CIS Docker v1.6.0 L1 Docker Linux
1.1.2 Ensure two emergency access accounts have been defined | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
1.1.2.1 console authentication | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.2.1 vty line authentication | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.1.2.2 vty line authentication | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.3 Enable 'aaa authentication enable default' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.1.3 Enable 'aaa authentication enable default' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.1.3 Enable 'aaa authentication enable default' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.3 Ensure that between two and four global admins are designated | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
1.1.3.1.2 Configure 'Accounts: Rename guest account' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.1.3 Set 'Accounts: Administrator account status' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.1.4 Configure 'Accounts: Rename administrator account' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.1.5 Set 'Accounts: Guest account status' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.4 Ensure Guest Users are reviewed at least biweekly | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
1.1.4 Set 'login authentication for 'line con 0' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.1.4 Set 'login authentication for 'line vty' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.1.4 Set 'login authentication for 'line vty' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.1.4.1 exec accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.4.2 command accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.4.3 network accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.4.4 system accounting | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.1.5 Ensure 'Password Policy' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.1.5 Local users, groups and tasks | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L2
1.1.5 Set 'login authentication for 'ip http' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.1.5 Set 'login authentication for 'ip http' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.1.5 Set 'login authentication for 'line tty' | Cisco | CIS Cisco IOS 15 L1 v4.1.1